Latest Vulnerabilities Updates: AppSecWorld's CVE Daily Digest for December 27-28, 2023

In the dynamic realm of cybersecurity, staying updated on the latest vulnerabilities is imperative.
This edition of AppSecWorld's CVE Daily Digest provides a snapshot of the vulnerabilities published in the National Vulnerability Database between December 27 and 28, 2023.
During this period, the National Vulnerability Database published 29 new Common Vulnerabilities and Exposures (CVEs), classified by severity as follows:

Critical: 2
High: 5
Medium: 6
Low: 0
Severity Not Assigned: 16

Identifying and understanding these vulnerabilities are pivotal steps towards enhancing security measures and creating a safer digital environment.
Now, let's delve deeper into AppSecWorld's CVE Daily Digest, spotlighting the Critical and High Severity vulnerabilities that demand immediate attention.

1. CVE-2023-3171
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: A flaw was found in EAP-7 during deserialization of certain classes, which permits instantiation of HashMap and HashTable with no checks on resources consumed. This issue could allow an attacker to submit malicious requests using these classes, which could eventually exhaust the heap and result in a Denial of Service.
References: https://access.redhat.com/errata/RHSA-2023:5484
https://access.redhat.com/errata/RHSA-2023:5485
https://access.redhat.com/errata/RHSA-2023:5486
https://access.redhat.com/errata/RHSA-2023:5488
https://access.redhat.com/security/cve/CVE-2023-3171
https://bugzilla.redhat.com/show_bug.cgi?id=2213639

CWE-ID: CWE-789
Common Platform Enumerations (CPE): Not Found

2. CVE-2023-50255
Base Score: 9.3
Base Severity: CRITICAL
Exploitability Score: 2.8
Impact Score: 5.8
Description: Deepin-Compressor is the default archive manager of Deepin Linux OS. Prior to 5.12.21, there's a path traversal vulnerability in deepin-compressor that can be exploited to achieve Remote Command Execution on the target system upon opening crafted archives. Users are advised to update to version 5.12.21 which addresses the issue. There are no known workarounds for this vulnerability.
References: https://github.com/linuxdeepin/deepin-compressor/commit/82f668c78c133873f5094cfab6e4eabc0b70e4b6
https://github.com/linuxdeepin/developer-center/security/advisories/GHSA-rw5r-8p9h-3gp2

CWE-ID: CWE-22 CWE-23 CWE-26
Common Platform Enumerations (CPE): Not Found
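The deepin-compressor entry above describes the archive-handling form of CWE-22: an entry name inside a crafted archive resolves to a location outside the chosen extraction directory. The following is an added example, not code from deepin-compressor or from this digest, showing the check an archive handler should apply to every member name before extracting it. It canonicalises the destination with `os.path.realpath`, rejects absolute or drive-qualified names outright, and only accepts a member whose resolved path stays under the destination. The sample archive (`build_sample_archive`) is constructed here in memory purely to exercise the check; all function names are this example's own.

```python
import io
import os
import zipfile


def is_safe_member(dest_dir: str, member_name: str) -> bool:
    """Return True only if member_name resolves to a path inside dest_dir.

    Rejects absolute names, drive-letter names and any '..' sequence that
    would escape the destination, i.e. the CWE-22 archive traversal pattern.
    """
    dest = os.path.realpath(dest_dir)
    # Archive member names are '/'-separated regardless of platform.
    if member_name.startswith(("/", "\\")) or os.path.splitdrive(member_name)[0]:
        return False
    target = os.path.realpath(os.path.join(dest, member_name))
    return target == dest or target.startswith(dest + os.sep)


def safe_extract(archive_bytes: bytes, dest_dir: str) -> list:
    """Extract only members that pass is_safe_member; return the names skipped."""
    skipped = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        for info in zf.infolist():
            if not is_safe_member(dest_dir, info.filename):
                skipped.append(info.filename)
                continue
            zf.extract(info, dest_dir)
    return skipped


def build_sample_archive() -> bytes:
    """Constructed sample: one benign entry plus two entries that try to escape."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "hello")
        zf.writestr("../../outside.txt", "escaped")
        zf.writestr("/etc/absolute.txt", "abs")
    return buf.getvalue()


def demo() -> dict:
    """Run the constructed archive through safe_extract in a fresh temp dir."""
    import tempfile

    dest = tempfile.mkdtemp()
    skipped = safe_extract(build_sample_archive(), dest)
    return {
        "skipped": skipped,
        "extracted_readme": os.path.isfile(os.path.join(dest, "docs", "readme.txt")),
    }


if __name__ == "__main__":
    print(demo())
```

The check is deliberately applied to the resolved path rather than to the raw string, so `a/b/../c.txt` (which stays inside) is accepted while `../../x` is refused; a handler that only searches for the literal substring `..` gets both of these wrong in one direction or the other.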

3. CVE-2023-51443
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implementation that runs on any commodity hardware. Prior to version 1.10.11, when handling DTLS-SRTP for media setup, FreeSWITCH is susceptible to Denial of Service due to a race condition in the hello handshake phase of the DTLS protocol. This attack can be done continuously, thus denying new DTLS-SRTP encrypted calls during the attack. If an attacker manages to send a ClientHello DTLS message with an invalid CipherSuite (such as `TLS_NULL_WITH_NULL_NULL`) to the port on the FreeSWITCH server that is expecting packets from the caller, a DTLS error is generated. This results in the media session being torn down, which is followed by teardown at signaling (SIP) level too. Abuse of this vulnerability may lead to a massive Denial of Service on vulnerable FreeSWITCH servers for calls that rely on DTLS-SRTP. To address this vulnerability, upgrade FreeSWITCH to 1.10.11 which includes the security fix. The solution implemented is to drop all packets from addresses that have not been validated by an ICE check.
References: https://github.com/signalwire/freeswitch/commit/86cbda90b84ba186e508fbc7bfae469270a97d11
https://github.com/signalwire/freeswitch/security/advisories/GHSA-39gv-hq72-j6m6

CWE-ID: CWE-703
Common Platform Enumerations (CPE): Not Found

4. CVE-2023-51664
Base Score: 7.3
Base Severity: HIGH
Exploitability Score: 2.1
Impact Score: 5.2
Description: tj-actions/changed-files is a GitHub Action to retrieve all files and directories. Prior to 41.0.0, the `tj-actions/changed-files` workflow allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets. This issue may lead to arbitrary command execution in the GitHub Runner. This vulnerability has been addressed in version 41.0.0. Users are advised to upgrade.
References: https://github.com/tj-actions/changed-files/commit/0102c07446a3cad972f4afcbd0ee4dbc4b6d2d1b
https://github.com/tj-actions/changed-files/commit/716b1e13042866565e00e85fd4ec490e186c4a2f
https://github.com/tj-actions/changed-files/commit/ff2f6e6b91913a7be42be1b5917330fe442f2ede
https://github.com/tj-actions/changed-files/security/advisories/GHSA-mcph-m25j-8j63

CWE-ID: CWE-74 CWE-77
Common Platform Enumerations (CPE): Not Found
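The tj-actions/changed-files entry is the CI variant of CWE-77: filenames taken from a pull request are attacker-controlled data, and a workflow step that splices them into a shell command string lets a name such as `$(...)` or `a;b` become code. The example below is added here and is not code from the action, the advisory or this digest. It shows the two defensive moves a CI step can make: validate names against a shell-metacharacter denylist before using them, and pass the names to the tool as separate argv entries (`shell=False`) rather than through a shell. The `SAMPLE_CHANGED_FILES` list is constructed for the demonstration; the helper names are this example's own.

```python
import re
import subprocess
import sys

# Constructed sample of a "changed files" list as a CI step might receive it.
# Two of the names contain characters a shell would interpret.
SAMPLE_CHANGED_FILES = [
    "src/app.py",
    "docs/notes (draft).md",
    "README.md;id",
    "$(echo injected).txt",
]

# Characters that give a name meaning to a POSIX shell when interpolated unquoted.
SHELL_META = re.compile(r"[;&|`$<>()\n\r\\\"'*?]")


def is_shell_safe_filename(name: str) -> bool:
    """True if the name carries no shell metacharacters and no traversal."""
    return not SHELL_META.search(name) and ".." not in name.split("/")


def partition_filenames(names):
    """Split names into (accepted, rejected) for steps that must build shell text."""
    accepted = [n for n in names if is_shell_safe_filename(n)]
    rejected = [n for n in names if not is_shell_safe_filename(n)]
    return accepted, rejected


def echo_via_argv(names):
    """Hand every name to a child process as its own argv entry, no shell involved.

    The child here is a tiny Python one-liner standing in for a real linter or
    formatter; it prints each argument back so we can confirm the names arrive
    verbatim as data, including the ones that look like shell syntax.
    """
    child = [sys.executable, "-c", "import sys; print('\\n'.join(sys.argv[1:]))", *names]
    completed = subprocess.run(child, capture_output=True, text=True, check=True)
    return completed.stdout.splitlines()


if __name__ == "__main__":
    ok, bad = partition_filenames(SAMPLE_CHANGED_FILES)
    print("accepted:", ok)
    print("rejected:", bad)
    print("argv round-trip:", echo_via_argv(SAMPLE_CHANGED_FILES))
```

In a workflow the same idea is expressed by exporting the action's output through `env:` and referencing it as a double-quoted shell variable, instead of writing `${{ ... }}` directly inside `run:`; the argv approach above is what that quoting achieves for a single command, and the validation step is what to do when the names must still be rendered into shell text.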

5. CVE-2023-52077
Base Score: 8.9
Base Severity: HIGH
Exploitability Score: 2.3
Impact Score: 6.0
Description: Nexkey is a lightweight fork of Misskey v12 optimized for small to medium size servers. Prior to 12.23Q4.5, Nexkey allows external apps using tokens issued by administrators and moderators to call admin APIs. This allows malicious third-party apps to perform operations such as updating server settings, as well as compromise object storage and email server credentials. This issue has been patched in 12.23Q4.5.
References: https://github.com/mei23/misskey-v12/commit/78173e376f14fcc1987b02196f5538bf5b18225c
https://github.com/misskey-dev/misskey/commit/5150053275594278e9eb23e72d98b16593c4c230
https://github.com/nexryai/nexkey/commit/a4e4c9c47c5f84ec7ccd309bde59d4ae5d7e5a98
https://github.com/nexryai/nexkey/security/advisories/GHSA-pjj7-7hcj-9cpc

CWE-ID: CWE-863
Common Platform Enumerations (CPE): Not Found

6. CVE-2023-52075
Base Score: 7.5
Base Severity: HIGH
Exploitability Score: 3.9
Impact Score: 3.6
Description: ReVanced API proxies requests needed to feed the ReVanced Manager and website with data. Up to and including commit 71f81f7f20cd26fd707335bca9838fa3e7df20d2, ReVanced API lacks error caching, causing the rate limit to be triggered and thus increasing server load. This causes a denial of service for all users using the API. It is recommended to implement proper error caching.
References: https://github.com/ReVanced/revanced-api/security/advisories/GHSA-852x-grxp-8p3q

CWE-ID: CWE-755
Common Platform Enumerations (CPE): Not Found

7. CVE-2023-6879
Base Score: 9.0
Base Severity: CRITICAL
Exploitability Score: 2.2
Impact Score: 6.0
Description: Increasing the resolution of video frames, while performing a multi-threaded encode, can result in a heap overflow in av1_loop_restoration_dealloc().
References: https://aomedia.googlesource.com/aom/+/refs/tags/v3.7.1
https://crbug.com/aomedia/3491

CWE-ID: CWE-20
Common Platform Enumerations (CPE): Not Found
